-
Notifications
You must be signed in to change notification settings - Fork 107
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
0a99554
commit c295603
Showing
1 changed file
with
363 additions
and
0 deletions.
There are no files selected for viewing
363 changes: 363 additions & 0 deletions
363
redhat/ocp4/4.16/2024.12.azure.sso.without.group.sync.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,363 @@ | ||
| # openshift 4.16 integration with Azure SSO | ||
|
|
||
| OpenShift support integration with Azure SSO through OpenID. In this article, we will show you how to integrate OpenShift 4.16 with Azure SSO. | ||
|
|
||
| # azure portal setting | ||
|
|
||
| In your Azure portal, go to Azure Active Directory -> App registrations -> New registration | ||
|
|
||
|  | ||
|
|
||
| As you can see, we create a `app registration` `azure-ocp-sso`. Let us find the redirect url for the openshift sso. | ||
|
|
||
| Get openshift sso callback host from openshift cli: | ||
|
|
||
| ```bash | ||
| oc get route -n openshift-authentication | ||
| # NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD | ||
| # oauth-openshift oauth-openshift.apps.demo-01-rhsys.wzhlab.top oauth-openshift 6443 passthrough/Redirect None | ||
| ``` | ||
|
|
||
| So the redirect url is `https://oauth-openshift.apps.demo-01-rhsys.wzhlab.top/oauth2callback/azure-ocp-sso` . Now we can create the `app registration` in Azure portal. | ||
|
|
||
|  | ||
|
|
||
| After the app registration is created, we can get the `tenant id` and `client id` from the `Overview` page. Write it down for later use. | ||
|
|
||
|  | ||
|
|
||
| And create a `client secret` in the `Certificates & secrets` page. | ||
|
|
||
|  | ||
|
|
||
| Write it down for later use. | ||
|
|
||
|  | ||
|
|
||
| Now, we need go add some permissions to the app registration. Go to `API permissions` page, click `Add a permission`. | ||
|
|
||
|  | ||
|
|
||
| Add `profile` and `email` permissions with `Delegated permissions`. | ||
|
|
||
|  | ||
|
|
||
| For group sync, we need to add `Directory.Read.All` `GroupMember.Read.All` `User.Read.All` permission with `Application permissions`. | ||
|
|
||
|  | ||
|
|
||
| After the permissions are added, we need to grant admin consent for the permissions. | ||
|
|
||
|  | ||
|
|
||
| And get the endpoint of azure, write it down. | ||
|
|
||
|  | ||
|
|
||
| We also create some groups and add some users to the groups. | ||
|
|
||
| - L1Support(group) | ||
| - l1.u01(user) | ||
| - l1.u02(user) | ||
| - L2Support(group) | ||
| - l2.u01(user) | ||
| - l2.u02(user) | ||
| - L3Support(group) | ||
| - l3.u01(user) | ||
| - l3.u02(user) | ||
| - RetalixSupport(group) | ||
| - ret.u01(user) | ||
| - ret.u02(user) | ||
| - POSIMViewer(group) | ||
| - pos.v01(user) | ||
| - pos.v02(user) | ||
| - POSIMSupport(group) | ||
| - pos.s01(user) | ||
| - pos.s02(user) | ||
| - POSIMAdmin(group) | ||
| - pos.a01(user) | ||
| - pos.a02(user) | ||
|
|
||
| <!--  --> | ||
|
|
||
|  | ||
|
|
||
| <!--  --> | ||
|
|
||
|  | ||
|
|
||
| # openshift sso setting | ||
|
|
||
| Go to openshift web console, go to `Administration` -> `Cluster Settings` -> `Configuration`, search for `oauth`. | ||
|
|
||
|  | ||
|
|
||
| In the `oauth` page, click `Add` to add a new `OpenID Connect`. | ||
|
|
||
|  | ||
|
|
||
| Input the `name` `client id` `client secret` `endpoint` in the openshift sso page. | ||
|
|
||
| > [!NOTE] | ||
| > The `name` must be the name of the `app registration` in Azure portal. | ||
| > | ||
| > The `preferred username` must be `upn`. | ||
| - https://learn.microsoft.com/en-us/azure/openshift/configure-azure-ad-ui | ||
|
|
||
|  | ||
|
|
||
| If you make something wrong, and want to change the config, you can edit the `oauth` object in openshift. | ||
| ```bash | ||
| oc edit oauth/cluster | ||
| ``` | ||
|
|
||
| If you want to remove a user: | ||
| ```bash | ||
| oc delete user <username> | ||
|
|
||
| oc delete identity <user-identity> | ||
| ``` | ||
|
|
||
| # openshift group sync | ||
|
|
||
| OpenShift SSO integration with azure will create user in openshift during the first login. But the group information will not be synced. We need to use `Group Sync Operator` to sync the group information. | ||
|
|
||
| Reference: | ||
| - https://cloud.redhat.com/experts/idp/az-ad-grp-sync/ | ||
|
|
||
| In operator hub, search `group` and install the `Group Sync Operator`. | ||
|
|
||
|  | ||
|
|
||
| Keep the default setting, and install. | ||
|
|
||
|  | ||
|
|
||
| Create azure secret in openshift. | ||
|
|
||
| ```bash | ||
| oc create secret generic azure-group-sync -n group-sync-operator \ | ||
| --from-literal=AZURE_TENANT_ID=$AZURE_TENANT_ID \ | ||
| --from-literal=AZURE_CLIENT_ID=$AZURE_CLIENT_ID \ | ||
| --from-literal=AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET | ||
|
|
||
| ``` | ||
|
|
||
| Create a `GroupSync` object in openshift, with the example config below. | ||
|
|
||
|  | ||
|
|
||
| ```yaml | ||
| apiVersion: redhatcop.redhat.io/v1alpha1 | ||
| kind: GroupSync | ||
| metadata: | ||
| name: azure-groupsync | ||
| namespace: group-sync-operator | ||
| spec: | ||
| providers: | ||
| - name: azure | ||
| azure: | ||
| credentialsSecret: | ||
| name: azure-group-sync | ||
| namespace: group-sync-operator | ||
| groups: | ||
| - L1support | ||
| - L2support | ||
| - L3support | ||
| - RetalixSupport | ||
| - POSIMViewer | ||
| - POSIMSupport | ||
| - POSIMAdmin | ||
| prune: false | ||
| schedule: '* * * * *' | ||
| ``` | ||
| # openshift role and rolebinding | ||
| Now, user can login, and group information is synced. We need to create role and rolebinding for the groups. So after user login, it has the correct permission. | ||
| Now, we create role for different groups. Below is an example for the roles. You can create your own roles based on your requirement. | ||
| ```bash | ||
| # create namespace for demo | ||
| oc create ns retalix | ||
|
|
||
| oc create ns posim | ||
|
|
||
| # define the roles, change the rules based on your requirement | ||
| cat << EOF > ${BASE_DIR}/data/install/demo.role.yaml | ||
| --- | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: ClusterRole | ||
| metadata: | ||
| name: l1-support-role | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["pods", "services", "events", "namespaces"] | ||
| verbs: ["get", "list", "watch"] | ||
| - apiGroups: ["apps"] | ||
| resources: ["deployments", "replicasets"] | ||
| verbs: ["get", "list", "watch"] | ||
|
|
||
| --- | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: ClusterRole | ||
| metadata: | ||
| name: l2-support-role | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["pods", "services", "events", "namespaces", "configmaps", "endpoints"] | ||
| verbs: ["get", "list", "watch", "update"] | ||
| - apiGroups: ["apps"] | ||
| resources: ["deployments", "replicasets", "daemonsets", "statefulsets"] | ||
| verbs: ["get", "list", "watch", "update"] | ||
| - apiGroups: [""] | ||
| resources: ["pods/log", "pods/exec"] | ||
| verbs: ["get", "list", "create"] | ||
|
|
||
| --- | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: ClusterRole | ||
| metadata: | ||
| name: l3-support-role | ||
| rules: | ||
| - apiGroups: ["*"] | ||
| resources: ["*"] | ||
| verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] | ||
| - apiGroups: [""] | ||
| resources: ["pods/exec", "pods/log"] | ||
| verbs: ["create", "get", "list"] | ||
| - apiGroups: ["security.openshift.io"] | ||
| resources: ["securitycontextconstraints"] | ||
| verbs: ["get", "list", "watch"] | ||
|
|
||
| --- | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: Role | ||
| metadata: | ||
| name: retalix-support-role | ||
| namespace: retalix | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["pods", "pods/log", "pods/exec", "services", "endpoints", "persistentvolumeclaims", "configmaps", "secrets", "events", "namespaces"] | ||
| verbs: ["get", "list", "watch", "create", "update", "patch"] | ||
| - apiGroups: ["apps"] | ||
| resources: ["deployments", "daemonsets", "replicasets", "statefulsets"] | ||
| verbs: ["get", "list", "watch", "create", "update", "patch"] | ||
| - apiGroups: ["batch"] | ||
| resources: ["jobs", "cronjobs"] | ||
| verbs: ["get", "list", "watch", "create", "update", "patch"] | ||
| - apiGroups: ["networking.k8s.io"] | ||
| resources: ["ingresses"] | ||
| verbs: ["get", "list", "watch"] | ||
| - apiGroups: ["route.openshift.io"] | ||
| resources: ["routes"] | ||
| verbs: ["get", "list", "watch"] | ||
|
|
||
| --- | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: Role | ||
| metadata: | ||
| name: posim-viewer-role | ||
| namespace: posim | ||
| rules: | ||
| - apiGroups: ["*"] | ||
| resources: ["*"] | ||
| verbs: ["get", "list", "watch"] | ||
|
|
||
| --- | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: Role | ||
| metadata: | ||
| name: posim-support-role | ||
| namespace: posim | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["pods", "pods/log", "pods/exec", "services", "endpoints", "configmaps", "events", "namespaces"] | ||
| verbs: ["get", "list", "watch", "create", "update", "patch"] | ||
| - apiGroups: ["apps"] | ||
| resources: ["deployments", "replicasets", "statefulsets"] | ||
| verbs: ["get", "list", "watch", "update", "patch"] | ||
| - apiGroups: ["batch"] | ||
| resources: ["jobs"] | ||
| verbs: ["get", "list", "watch", "create"] | ||
|
|
||
| --- | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: Role | ||
| metadata: | ||
| name: posim-admin-role | ||
| namespace: posim | ||
| rules: | ||
| - apiGroups: ["*"] | ||
| resources: ["*"] | ||
| verbs: ["*"] | ||
| EOF | ||
|
|
||
| oc apply -f ${BASE_DIR}/data/install/demo.role.yaml | ||
|
|
||
| # oc delete -f ${BASE_DIR}/data/install/demo.role.yaml | ||
|
|
||
| ``` | ||
|
|
||
| Apply the role to groups with rolebinding. First, select a group. | ||
|
|
||
|  | ||
|
|
||
| Switch to rolebinding view, and create a rolebinding for the group. | ||
|
|
||
|  | ||
|
|
||
| We want to define cluster role binding for the group. So we select `ClusterRoleBinding` in the `RoleBinding` page. Give it a name, and select the role we created before. | ||
|
|
||
|  | ||
|
|
||
| If you want to add a namespaced role to another group. Select `RoleBinding` in the `RoleBinding` page. Give it a name, find the namespace, and select the role we created before. | ||
|
|
||
|  | ||
|
|
||
| # test with login | ||
|
|
||
| First, we try to login as `l1.u01` user, which is in `L1Support` group. | ||
|
|
||
|  | ||
|
|
||
| Login with `l1.u01` user's `user principal name` and password. You can see the web console. | ||
|
|
||
|  | ||
|
|
||
| If you try to login as `ret.u01` user, which is in `RetalixSupport` group, you can see the web console. | ||
|
|
||
|  | ||
|
|
||
| After user login, you can see the user in the `User` page from an administrator account. | ||
|
|
||
|  | ||
|
|
||
| You can see group synced. | ||
|
|
||
|  | ||
|
|
||
| And user belongs to the group also synced. | ||
|
|
||
|  | ||
|
|
||
| # without group sync | ||
|
|
||
|
|
||
|
|
||
| # end | ||
|
|
||
| - https://cloud.redhat.com/experts/idp/entra-id-with-group-names/ | ||
|
|
||
| - https://vmware.fqdn.nl/2023/05/10/openshift-oauth-with-azure-idp/ | ||
|
|
||
| ```bash | ||
| oc get pod -n openshift-authentication | ||
|
|
||
| oc logs -n openshift-authentication oauth-openshift-7dcdcb7c74-fvtdr | ||
|
|
||
| ``` | ||
|
|
||
| # debug |